Daily Brief

Total articles found: 12820

Checks for new stories every ~15 minutes

2025-02-07 15:46:24 bleepingcomputer MISCELLANEOUS Cloudflare Outage Triggered by Incorrect Phishing URL Block
Cloudflare's attempt to block a phishing URL hosted on its R2 object storage platform instead took the whole service down for nearly an hour. Acting on an abuse report, an employee disabled the entire R2 Gateway service rather than the single abusive endpoint. The disruption ran from 08:10 to 09:09 UTC and took R2 Object Storage fully offline; dependent services saw increased error rates and latency spikes. Cloudflare attributed the incident to human error compounded by missing system-level safeguards: the abuse-review tooling was able to disable an entire product, and neither validation nor training stood in the way. Immediate fixes removed the ability to disable systems from the abuse review interface and added restrictions in the Admin API so the same action cannot be repeated from there. Planned follow-ups include better account provisioning, stricter access controls, and a two-party approval process for high-risk actions. The event follows a November 2024 outage in which a misconfiguration caused 3.5 hours of downtime and the loss of a substantial share of customer log data.
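The two controls Cloudflare names, scoping destructive actions to the smallest target and requiring a second person for broad ones, are easy to encode as a gate in front of an admin API. The following is an added example, not Cloudflare's code; the action model (an action has a scope of either "endpoint" or "service"), the approver set and the names are all assumptions for illustration.

```python
"""Two-person control for high-risk admin actions (added example).

Assumption: an admin action carries a scope. Endpoint-scoped actions (block
one abusive bucket/URL) execute immediately; service-scoped actions (disable
a whole gateway) are held until a second, distinct, authorised person approves.
"""
from dataclasses import dataclass, field

HIGH_RISK_SCOPES = {"service"}            # blast radius: a whole product
APPROVERS = {"alice", "bob", "carol"}     # constructed authorised approver set


@dataclass(frozen=True)
class Action:
    kind: str      # e.g. "disable"
    scope: str     # "endpoint" or "service"
    target: str    # the bucket/URL, or the gateway name


class ApprovalError(Exception):
    """Raised when a request or approval violates the two-person rule."""


@dataclass
class ApprovalGate:
    required: int = 2                                   # distinct humans needed
    pending: dict = field(default_factory=dict)         # Action -> set of approvers
    executed: list = field(default_factory=list)        # audit trail of what ran

    def request(self, action: Action, requester: str) -> str:
        """Execute a low-risk action now; hold a high-risk one for co-approval."""
        if requester not in APPROVERS:
            raise ApprovalError(f"{requester} is not authorised to {action.kind}")
        if action.scope not in HIGH_RISK_SCOPES:
            return self._execute(action)
        # The requester counts as the first approver; the action waits.
        self.pending[action] = {requester}
        return "pending"

    def approve(self, action: Action, approver: str) -> str:
        """Add a second approval; reject self-approval and unauthorised approvers."""
        if action not in self.pending:
            raise ApprovalError("no such pending action")
        if approver not in APPROVERS:
            raise ApprovalError(f"{approver} is not an authorised approver")
        if approver in self.pending[action]:
            raise ApprovalError("second approval must come from a different person")
        self.pending[action].add(approver)
        if len(self.pending[action]) >= self.required:
            del self.pending[action]
            return self._execute(action)
        return "pending"

    def _execute(self, action: Action) -> str:
        self.executed.append(action)   # real code would call the admin API here
        return "executed"


if __name__ == "__main__":
    gate = ApprovalGate()
    print(gate.request(Action("disable", "endpoint", "bucket-phish-01"), "alice"))
    svc = Action("disable", "service", "r2-gateway")
    print(gate.request(svc, "alice"))   # pending: needs a second person
    print(gate.approve(svc, "bob"))     # executed
```

The point of the gate is that the dangerous path is structurally different from the routine one: an abuse reviewer can still act on a single endpoint alone, but the only route to disabling a whole service passes through a second authorised person, and the same person cannot satisfy both roles.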
2025-02-07 14:59:19 thehackernews DATA BREACH DeepSeek App Risks User Data with Poor Encryption Practices
NowSecure's audit of DeepSeek's iOS app found it transmitting sensitive data over unencrypted channels, exposing users to both passive interception and active tampering. The app globally disables iOS App Transport Security (ATS), so cleartext HTTP is permitted app-wide. Where it does encrypt, it uses the deprecated 3DES algorithm with a hard-coded key and repeated initialization vectors, which largely defeats the purpose of encrypting. Data is sent to infrastructure run by Volcano Engine, a cloud platform owned by China's ByteDance, raising data-privacy concerns. Separately, security firms report DeepSeek's models being used to write information stealers and refine spam scripts, and the app's surge in popularity has drawn cybercriminals running DDoS attacks against it and fraudulent look-alike schemes. U.S. lawmakers and several other governments have pushed to ban the app on government devices over its Chinese ties.
2025-02-07 14:01:13 bleepingcomputer MISCELLANEOUS Microsoft Advises Workaround for Windows 11 Update Issue
Microsoft identified a bug that prevents Windows 11, version 24H2 from receiving further security updates when it was installed from media that bundles the October 2024 or November 2024 security updates. Installations made through Windows Update or the Microsoft Update Catalog are unaffected, as are installs from media that includes the December 2024 update or later. Microsoft's recommended fix is to reinstall Windows 11 from updated installation media containing the December 2024 security update or newer; the issue is marked as resolved on the Windows release health dashboard with that workaround as the remediation. A separate bug prevents non-administrator users from changing the time zone in the Settings app; a fix is expected in the February 2025 updates, and until then affected users can change the setting through the Date and Time applet in Control Panel.
2025-02-07 13:01:34 thehackernews CYBERCRIME Urgent CISA Advisory on Exploited Vulnerability in Cityworks Software
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of CVE-2025-0994 in Trimble Cityworks. The flaw, rated 8.6 on CVSS v4, is a deserialization of untrusted data that lets an attacker execute code remotely on a customer's Microsoft IIS web server. Trimble patched it on January 29, 2025, but attacks against unpatched deployments continue. Exploitation drops a Rust-based loader that launches Cobalt Strike, the Go-based VShell remote access tool, and other payloads. Who is behind the activity and what they are ultimately after remains unclear. CISA and Trimble urge customers running affected Cityworks versions to update immediately, and Trimble has published indicators of compromise (IoCs) to help organisations detect and respond to intrusions that began with this vulnerability.
2025-02-07 11:54:30 theregister MISCELLANEOUS UK Launches Cyber Incident Severity Classification System
The UK has launched a Cyber Monitoring Centre (CMC) that will rate the severity of systemic cyber incidents on a five-point scale modelled on the Saffir-Simpson hurricane scale. Led by figures from the cyber-insurance industry and cybersecurity experts, the body aims to give clear, independent assessments of systemic cyber events. Categories 1 to 5 reflect the financial impact and the number of organisations affected; costs counted include incident response, notification, ransom payments and other financial fallout, but exclude post-incident liability payments and fines. The ratings are meant to help define terms and conditions in cyber-insurance policies, giving insurers, reinsurers, policyholders and risk managers a shared understanding of coverage implications. The CMC also expects its data to inform future regulation and government understanding of cybercrime's impact, and, beyond its initial insurance focus, to benefit policymakers and the public more broadly.
2025-02-07 11:16:36 thehackernews CYBERCRIME AI Accelerates Evolution of Social Engineering Threats
AI is rapidly reshaping social engineering, letting attackers manipulate individuals and breach defences at a scale and fidelity not previously possible. Traditional defences are proving inadequate against AI-assisted attacks such as realistic impersonations and tailored phishing, which are already producing major data breaches. Impersonation has moved on from silicone masks and staged settings to video deepfakes and voice cloning, which make the deception far more convincing. Voice phishing (vishing) now clones a target's voice from a few seconds of audio, undermining the traditional advice to verify a request by recognising the caller's voice. Email phishing has likewise evolved: large language models (LLMs) let attackers write fluent, individually targeted spear-phishing messages at volume, and these are hard to distinguish from legitimate mail. The FBI's Internet Crime Report 2023 lists phishing as the most reported form of cybercrime, and AI tooling makes effective campaigns cheaper and easier to run at scale. The article argues that defensive strategies need an overhaul, recommending in particular that organisations train staff with simulated social engineering attacks so they recognise and resist the real thing.
2025-02-07 11:04:50 thehackernews CYBERCRIME Microsoft Reports Over 3000 Vulnerable ASP.NET Machine Keys
Microsoft has identified more than 3,000 ASP.NET machine keys that are publicly available in documentation and code repositories and could be used for ViewState code injection. Developers who copy such keys into their configuration unchanged leave their applications exposed to anyone who has read the same source. In December 2024 Microsoft observed an unidentified threat actor using one of these publicly disclosed static keys to inject malicious ViewState and deploy the Godzilla post-exploitation framework. ViewState is the ASP.NET mechanism for preserving page and control state across postbacks; its integrity and confidentiality rest on the machine key's validationKey and decryptionKey, so an attacker who knows those values can craft a ViewState payload that passes validation and is deserialized into arbitrary code on the IIS worker process. Microsoft urged developers not to use keys from public sources, recommended securely generated keys and regular key rotation, and removed example key material from its own documentation to stop it being copied. The report coincides with Aqua's research on vulnerabilities in Kubernetes environments, underscoring ongoing challenges in cloud security and application management.
2025-02-07 10:42:50 thehackernews CYBERCRIME RBI Introduces "bank.in" Domain to Enhance Digital Banking Security
The Reserve Bank of India (RBI) announced a dedicated "bank.in" internet domain for Indian banks to combat cyber fraud in digital banking. The aim is to reduce phishing and similar threats, since customers can check that a banking site sits under the reserved domain, and to streamline secure financial transactions. Registration under "bank.in" begins in April 2025, with the Institute for Development and Research in Banking Technology (IDRBT) as the exclusive registrar. The RBI also plans a "fin.in" domain for non-bank financial entities. In parallel, it is extending Additional Factor of Authentication (AFA) to cross-border card-not-present transactions: an extra authentication step, especially for transactions with overseas merchants whose systems support AFA, to raise the security of and trust in online payments. Together the measures reflect a broader push to secure India's rapidly growing digital payments ecosystem.
2025-02-07 05:21:51 thehackernews MALWARE Hackers Utilize SimpleHelp RMM Vulnerabilities for Ransomware Attacks
Threat actors exploited three recently patched vulnerabilities in SimpleHelp's remote monitoring and management (RMM) software to gain initial access and sustained control of a victim network, in an intrusion Field Effect assesses was headed toward ransomware deployment. The flaws, CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728, together allow information disclosure, privilege escalation and remote code execution. Field Effect observed the attackers using the compromised RMM software to run network discovery and create administrator accounts, then installing a Cloudflare tunnel to blend their command-and-control traffic in with legitimate connections and stage further activity. The tradecraft overlaps with previously observed Akira ransomware operations. Field Effect's intervention stopped the intrusion before any ransomware was executed. The case underlines that RMM tooling needs prompt patching and close monitoring, because it hands attackers legitimate-looking, persistent remote access.
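The post-exploitation steps described, discovery commands spawned by the RMM agent, a new local administrator, and a Cloudflare tunnel, are each visible in ordinary endpoint telemetry, and together they are a strong signal. The following is an added example of detection logic run over a handful of constructed events (not Field Effect's data or rules); it assumes Sysmon process-creation (event ID 1) and Windows Security account events (4720, 4732) flattened to one JSON object per line, and it assumes the SimpleHelp client runs as a process named "Remote Access.exe".

```python
"""Detect RMM-driven hands-on-keyboard activity in endpoint logs (added example).

Sample events are constructed for this example. Field names (event_id, image,
cmdline, parent, target, member, group) are a simplified flattening of Sysmon
and Windows Security events, not any vendor's real schema.
"""
import json
from collections import defaultdict

RMM_PARENTS = {"remote access.exe"}      # assumed SimpleHelp client process name
DISCOVERY_TOKENS = ("net group", "net user", "net localgroup", "nltest",
                    "whoami", "ipconfig", "nslookup")
TUNNEL_TOKENS = ("cloudflared", "tunnel run", "trycloudflare.com")

SAMPLE_LOG = r"""
{"ts":"2025-01-22T10:01:03Z","host":"WS01","event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c net group \"domain admins\" /domain","parent":"C:\\Program Files\\JWrapper-Remote Access\\Remote Access.exe","user":"WS01\\svc_rmm"}
{"ts":"2025-01-22T10:01:41Z","host":"WS01","event_id":1,"image":"C:\\Windows\\System32\\nltest.exe","cmdline":"nltest /dclist:corp","parent":"C:\\Program Files\\JWrapper-Remote Access\\Remote Access.exe","user":"WS01\\svc_rmm"}
{"ts":"2025-01-22T10:04:10Z","host":"WS01","event_id":4720,"target":"backupadm","subject":"svc_rmm"}
{"ts":"2025-01-22T10:04:12Z","host":"WS01","event_id":4732,"member":"backupadm","group":"Administrators","subject":"svc_rmm"}
{"ts":"2025-01-22T10:09:55Z","host":"WS01","event_id":1,"image":"C:\\ProgramData\\cloudflared.exe","cmdline":"cloudflared.exe tunnel run --token <redacted>","parent":"C:\\Windows\\System32\\cmd.exe","user":"WS01\\backupadm"}
{"ts":"2025-01-22T10:15:00Z","host":"WS01","event_id":1,"image":"C:\\Windows\\notepad.exe","cmdline":"notepad.exe notes.txt","parent":"C:\\Windows\\explorer.exe","user":"WS01\\jsmith"}
{"ts":"2025-01-22T11:30:00Z","host":"HR02","event_id":4720,"target":"newhire07","subject":"it.admin"}
"""


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Map one event to a rule name, or None if it matches nothing."""
    eid = ev.get("event_id")
    if eid == 1:  # Sysmon process creation
        cmd = ev.get("cmdline", "").lower()
        if basename(ev.get("parent", "")) in RMM_PARENTS and any(t in cmd for t in DISCOVERY_TOKENS):
            return "discovery_via_rmm"
        if basename(ev.get("image", "")) == "cloudflared.exe" or any(t in cmd for t in TUNNEL_TOKENS):
            return "cloudflare_tunnel"
    elif eid == 4720:  # user account created
        return "account_created"
    elif eid == 4732 and ev.get("group", "").lower() == "administrators":
        return "added_to_admins"
    return None


def detect(log_text: str) -> list:
    """Return one finding per matching event."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            findings.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                             "detail": ev.get("cmdline") or ev.get("target") or ev.get("member")})
    return findings


def correlate(findings: list, min_categories: int = 2) -> set:
    """Hosts where at least min_categories distinct rules fired: the chain, not one noisy event."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {host for host, rules in by_host.items() if len(rules) >= min_categories}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["rule"], "|", h["detail"])
    print("hosts with correlated activity:", correlate(hits))
```

A single 4720 on HR02 is routine IT work and is not escalated; WS01, where discovery from the RMM agent, a new local admin and a tunnel binary all appear within minutes, is. In production the same logic belongs in the SIEM with the real field names, but the structure, cheap per-event rules plus a per-host correlation across rule categories, is what separates this from alert noise.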
2025-02-07 03:09:16 theregister MALWARE Malicious App Steals Crypto Wallet Keys via OCR Technology
Kaspersky researchers discovered SparkCat, a new malware strain embedded in the ComeCome iOS app and also found in apps on Google Play. It uses an OCR plugin to scan images stored on the device for cryptocurrency wallet recovery (seed) phrases and exfiltrates any it finds so the attackers can take over the wallets. The infected apps passed both stores' review processes with no outward sign of malicious content. According to Kaspersky, the campaign chiefly targeted users in Europe and Asia, and the affected apps had been downloaded more than 242,000 times in total. SparkCat is not limited to seed phrases: anything sensitive that the OCR recognises in a screenshot can be stolen. The Android variant uses Google's ML Kit for text recognition and talks to its command-and-control server over a protocol implemented in Rust. Neither Google nor Apple had responded to inquiries at the time of the report; Apple has since removed ComeCome from the App Store, and similar removals have been reported on Google Play.
2025-02-07 01:54:44 theregister RANSOMWARE Decline in Ransom Payments Despite Rise in Ransomware Attacks in 2024
Ransomware payments fell 35% in 2024 to $813.55 million, down from $1.25 billion in 2023, according to Chainalysis. The number of attacks rose, yet fewer victims paid: better backups, law-enforcement action and a growing refusal to pay on principle pushed organisations toward other recovery routes. Law-enforcement successes included the takedowns of BlackCat/AlphV and LockBit infrastructure, although such disruptions proved temporary, with LockBit later resurfacing. The ecosystem also shifted toward lone actors and small groups hitting mid-sized businesses with lower ransom demands. Improved preparedness and robust backups let more companies restore data themselves rather than pay, and governments and insurers increasingly advise against payment, eroding the ransomware business model. Use of cryptocurrency mixers also declined markedly in 2024, making it harder for criminals to launder ransom proceeds and raising the risk of running ransomware operations.
2025-02-06 22:15:16 theregister DATA BREACH Lawsuit Claims Gravy Analytics Failed to Protect User Location Data
Gravy Analytics faces a lawsuit alleging it failed to secure personal data from potentially millions of smartphone users. The complaint says 17 TB of data, including real-time location histories harvested from mobile apps, was stolen and posted on a Russian cybercrime forum. Gravy Analytics confirmed the breach on January 4, 2025 in a notification to the Norwegian Data Protection Authority. Earlier suits in New Jersey and Virginia made similar data-security allegations. The stolen data reportedly originated from popular apps including Tinder, Grindr and MyFitnessPal. The FTC had already banned Gravy Analytics and its subsidiary Venntel from selling sensitive location data over privacy concerns. The new complaint alleges violations of California's Unfair Competition Law, among other claims, with the plaintiff citing significant privacy risks from the exposed data. Gravy Analytics, a subsidiary of Unacast since 2023, says it does not collect the data itself but licenses it from data providers.
2025-02-06 20:59:49 bleepingcomputer MALWARE Microsoft Warns of ViewState Code Injection Attacks Using Public Keys
Microsoft has observed malware being deployed through ViewState code injection against ASP.NET web applications. Attackers take static machine keys that have been published online and use them to sign and encrypt crafted ViewState, which the server then deserializes, yielding remote code execution on the IIS host. The targets are applications whose developers copied publicly documented machine keys into their configuration unchanged. Observed payloads include the Godzilla post-exploitation framework, which provides command execution and shellcode injection. Microsoft identified more than 3,000 publicly disclosed keys and removed example keys from its own documentation to limit further misuse. Its guidance to developers: generate machine keys securely rather than copying them, encrypt sensitive configuration elements such as the machineKey section, and upgrade to ASP.NET 4.8 so the Antimalware Scan Interface (AMSI) can inspect ViewState payloads. Because a successful injection may leave persistence behind that key rotation alone will not remove, Microsoft recommends reformatting and reinstalling web-facing servers where exploitation is confirmed.
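Both ASP.NET items above come down to one configuration check: does web.config carry a static machineKey, is it one that has been published, and are its algorithms current? The script below is an added example (not Microsoft's tooling) that audits a web.config fragment and generates a replacement key in the form Microsoft's guidance calls for (securely generated, HMACSHA256 validation, AES decryption). The sample config and the "known public key" set are constructed for the example; a real audit would load the set from the keys you have harvested from public documentation and repositories.

```python
"""Audit ASP.NET machineKey settings and generate a replacement (added example).

The sample web.config and the KNOWN_PUBLIC_VALIDATION_KEYS set are constructed
for illustration; the key values are not real leaked keys.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed: a key a developer might have pasted from a public sample.
PASTED_VALIDATION_KEY = "0123456789ABCDEF" * 8          # 128 hex chars
PASTED_DECRYPTION_KEY = "FEDCBA9876543210" * 3          # 48 hex chars (3DES size)

SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PASTED_VALIDATION_KEY}"
                decryptionKey="{PASTED_DECRYPTION_KEY}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Constructed stand-in for a corpus of keys seen in public docs/repos.
KNOWN_PUBLIC_VALIDATION_KEYS = {PASTED_VALIDATION_KEY}
WEAK_VALIDATION = {"SHA1", "MD5"}
WEAK_DECRYPTION = {"3DES", "DES"}


def audit_machine_key(config_xml: str) -> list:
    """Return findings for the <system.web>/<machineKey> element, if any."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []   # no explicit key: ASP.NET auto-generates per machine
    findings = []
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    validation = mk.get("validation", "HMACSHA256")
    decryption = mk.get("decryption", "Auto")

    if vkey.upper() in KNOWN_PUBLIC_VALIDATION_KEYS:
        findings.append("validationKey matches a publicly disclosed key: anyone can forge ViewState MACs")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"validation={validation}: legacy MAC algorithm, use HMACSHA256 or stronger")
    if decryption.upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={decryption}: legacy cipher, use AES")
    if not vkey.startswith("AutoGenerate") and len(vkey) < 128:
        findings.append(f"validationKey is {len(vkey) // 2} bytes; 64 bytes recommended for HMACSHA256")
    if decryption.upper() == "AES" and not dkey.startswith("AutoGenerate") and len(dkey) < 64:
        findings.append(f"decryptionKey is {len(dkey) // 2} bytes; 32 bytes recommended for AES")
    return findings


def generate_machine_key() -> str:
    """Return a fresh <machineKey> element with cryptographically random keys."""
    vkey = secrets.token_hex(64).upper()   # 64 bytes for HMACSHA256
    dkey = secrets.token_hex(32).upper()   # 32 bytes for AES-256
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="HMACSHA256" decryption="AES" />')


def wrap_in_config(machine_key_xml: str) -> str:
    """Embed a machineKey element in a minimal web.config for re-auditing."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"


if __name__ == "__main__":
    for f in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", f)
    replacement = generate_machine_key()
    print(replacement)
    print("replacement findings:", audit_machine_key(wrap_in_config(replacement)))
```

Run the audit across every web.config in an IIS estate; any hit on the public-key set is treated as an incident, not a misconfiguration, since the affected server may already have been used for code execution. The generated element is only a safe replacement if it is produced once, deployed to all members of a web farm through a secrets channel, and never checked into a repository.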
2025-02-06 20:48:28 theregister DATA BREACH Federal Court Restricts Access to Treasury Systems Amid Lawsuit
A federal judge issued a temporary restraining order limiting the Department of Government Efficiency's (DOGE) access to sensitive U.S. Treasury payment systems to read-only access for two named aides, following a privacy lawsuit. The suit alleges that Treasury Secretary Scott Bessent disclosed personal and financial data to DOGE, an entity linked to Elon Musk, without sufficient legal justification. Advocacy groups and unions, including the Alliance for Retired Americans and the American Federation of Government Employees, argue that the access violated federal privacy protections. Reports suggest DOGE staff had previously reached critical systems across several federal agencies and may have analysed or altered sensitive data. The Treasury systems, run by the Bureau of the Fiscal Service, hold large volumes of personal data because they process government payments and collections. The plaintiffs contend that the broad access earlier granted to DOGE was unlawful, which prompted the court to intervene to protect the data. The case has widened the debate over how personal information in government databases is safeguarded and on what legal basis outside parties may be given access.
2025-02-06 18:55:59 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Pivot to Stealthy Remote Access Tools
North Korean hacking group Kimsuky has adopted a custom-built RDP Wrapper for remote access, marking a shift in its attack methods. AhnLab Security Intelligence Center, which discovered the campaign, notes the move away from noisy backdoors toward quieter remote access tooling. The recent attacks begin with spear-phishing emails carrying malicious attachments disguised as legitimate documents, which deploy the toolkit. Its centrepiece is a modified RDP Wrapper, altered to evade antivirus detection, that gives the operators remote desktop access and control without tripping alerts. Secondary payloads include keyloggers, information stealers and in-memory payload execution tools. The breadth of custom remote access tooling is aimed at keeping long-term access to compromised networks for espionage. The upgraded attack chain underlines Kimsuky's continued investment in its cyber-espionage capabilities.